Privacy Policy

Effective Date: April 1, 2026

Covers both the Sasto Mobile Application (Patient-Facing) and the Clinician Platform (Web).

Different information is collected from Patients and Residents (Mobile Application users) and from Health Care Practitioners and Staff (Clinician Platform users). Where the policy applies differently to each group, we say so explicitly. If you are a Health Care Practitioner or Facility staff member, your Facility's agreement with Sasto and your Facility's own privacy practices also govern how Patient information is handled within your organization.

1. Who We Are and What This Policy Covers

Sasto Technologies Inc. ("Sasto," "we," "us," "our") operates a behavioral health compliance platform used by addiction treatment facilities to monitor patient recovery engagement outside of clinical settings. This Privacy Policy explains how we collect, use, disclose, and protect information in connection with the Sasto Mobile Application and Clinician Platform.

Sasto operates as a Business Associate under HIPAA and as a Qualified Service Organization under 42 CFR Part 2. This means that the information we handle on behalf of treatment facilities is subject to some of the strictest health privacy laws in the United States.

2. Information We Collect

2.1 Information Collected from Patients (Mobile Application)

Account Information. Your name and enrollment information as provided by your Facility at setup. Sasto does not independently collect your personal information — your Facility provides it as part of enrolling you in the program.

Geolocation Data. Precise GPS coordinates, Wi-Fi positioning data, and cellular network location data collected during check-in events and, depending on your Facility's configuration, at scheduled intervals. This is the core data the Platform uses to verify your recovery schedule compliance.

Check-In and Compliance Data. Records of completed and missed check-ins, your recovery schedule, and compliance status reports generated from your activity on the Platform.

Device Information. Device type, operating system version, device identifiers, and app version, used to maintain Platform functionality and diagnose technical issues.

Communications. Messages and communications you send through the Platform's care team communication features.

Usage Data. How you interact with the Mobile Application, including feature usage and session information, used to improve the Platform. This data is aggregated and de-identified before use.

2.2 Information Collected from Health Care Practitioners and Staff (Clinician Platform)

Account Information. Name, professional title, email address, and credentials as provided by your Facility at setup.

Professional Credentials. Licensure and certification information where required by your Facility or by applicable law.

Platform Activity. Actions taken on the Clinician Platform, including access to Patient records, Escalation Event responses, and configuration changes, maintained as audit logs for HIPAA compliance.

Device and Access Information. IP address, device type, browser type, and login timestamps, maintained for security monitoring and audit purposes.

Communications. Messages sent to Patients through the Platform's communication features.

Cookie Data. Session and functional cookie data as described in Section 7 of the Terms of Service. Analytics cookie data is aggregated and anonymized.

2.3 Information We Do Not Collect

Sasto does not collect:

  • Payment or billing information from individual users (billing is handled directly between Sasto and your Facility).
  • Social Security numbers or government identification numbers from Platform users.
  • Biometric data (fingerprints, facial recognition) from Platform users.
  • Information from children under 13 without parental consent through Facility enrollment procedures.

3. How We Use Information

3.1 To Provide the Platform Services

The primary use of all information collected through the Platform is to deliver the compliance monitoring services that your Facility has contracted for. This includes:

  • Verifying check-in compliance and generating compliance reports for your care team.
  • Triggering Escalation Event alerts when configured thresholds are reached.
  • Enabling communication between Patients and their care team.
  • Maintaining the Clinician Platform dashboard for Health Care Practitioners.

3.2 For Platform Improvement and Research

Sasto uses de-identified and aggregated data derived from Platform usage to improve the Platform, develop new features, and conduct internal research. This data is de-identified in accordance with HIPAA's Safe Harbor standard (45 CFR § 164.514(b)) before any such use and cannot reasonably be used to identify any individual.

Sasto does not use individually identifiable Patient information to train artificial intelligence or machine learning models without a separate documented approval process involving the Privacy Officer. Any such use is consistent with Sasto's De-Identification Policy and applicable customer agreements.

3.3 For Communications

Sasto uses contact information to send Platform-related communications, including check-in reminders, escalation alerts, and care team messages, as configured by your Facility. Sasto does not send marketing or promotional communications to Patients.

3.4 For Legal Compliance and Security

  • To comply with applicable law, including HIPAA, 42 CFR Part 2, and state health privacy laws.
  • To investigate and respond to security incidents.
  • To enforce these Terms.
  • To respond to valid legal process reviewed by legal counsel, subject to the 42 CFR Part 2 restrictions described below.

4. How We Share Information

4.1 With Your Treatment Facility

Patient Geolocation Data and compliance records are shared with your Facility's authorized Health Care Practitioners and staff through the Clinician Platform. This is the core function of the service. Your Facility is responsible for ensuring that only authorized personnel access your information.

4.2 With Subcontractors

Sasto uses cloud infrastructure and technology subcontractors to operate the Platform. All subcontractors who have access to Patient information are required to execute a Business Associate Agreement with Sasto committing to HIPAA-equivalent data protection obligations. Sasto maintains a current inventory of all vendors with access to Patient data.

4.3 As Required by Law

Sasto will disclose information when required to do so by applicable law. For Patient information subject to 42 CFR Part 2, Sasto will not disclose records to law enforcement, courts, or government agencies without a court order that specifically complies with the requirements of 42 CFR Part 2. A general subpoena, warrant, or administrative request is not sufficient to compel disclosure of Part 2 protected records.

4.4 In Connection with a Business Transaction

If Sasto is involved in a merger, acquisition, sale of assets, financing, or similar transaction, Customer Data and user information may be transferred to a successor entity as part of that transaction, subject to the successor's assumption of Sasto's obligations under applicable BAAs and these Terms. Sasto will provide notice of any such transaction that affects how your information is handled.

4.5 What Sasto Does Not Do

Sasto does not:

  • Sell, rent, lease, or license Patient information to any third party for commercial purposes.
  • Share Patient information for advertising, marketing, or commercial purposes.
  • Disclose that any individual is or was enrolled in a substance use disorder treatment program without a compliant patient authorization or a court order that meets the requirements of 42 CFR Part 2.
  • Share Patient information with an employer.
  • Use Patient information to support any law enforcement investigation or prosecution absent a valid 42 CFR Part 2 court order.

Your information is protected by federal law. Information about your participation in a substance use disorder treatment program is protected by 42 CFR Part 2, a federal law specifically designed to encourage people to seek treatment without fear that their records will be used against them. Under 42 CFR Part 2, even confirming that you are a patient at a treatment program is prohibited without your written consent or a court order that meets strict federal requirements. Sasto is fully bound by 42 CFR Part 2 as a Qualified Service Organization and will resist any legal process seeking disclosure of Part 2 records that does not meet those requirements.

5. HIPAA and Your Health Information Rights

Because Sasto operates as a Business Associate of your treatment facility, your primary HIPAA rights — including the right to access your records, request amendments, and receive an accounting of disclosures — are exercised through your Facility, not directly through Sasto. Your Facility is the Covered Entity responsible for honoring these rights.

When your Facility directs Sasto to fulfill a patient rights request (for example, providing you access to your compliance records), Sasto will do so within 30 days of receiving the direction, with one 30-day extension available upon notice. If you have questions about your health information rights, contact your Facility's Privacy Officer first. If your Facility is unable to assist, contact Sasto at privacy@sasto.ai.

6. California Privacy Rights

6.1 California Confidentiality of Medical Information Act (CMIA)

Sasto's handling of Patient information in California is subject to the California Confidentiality of Medical Information Act (Cal. Civ. Code § 56 et seq.) in addition to HIPAA and 42 CFR Part 2. Under CMIA, Sasto does not sell, rent, lease, or otherwise disclose medical information about California residents for commercial purposes. Any disclosure of medical information requires written patient authorization unless a specific CMIA exception applies. CMIA violations carry civil liability of up to $1,000 per negligent violation and up to $3,000 per willful violation, in addition to actual damages and attorneys' fees.

6.2 California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)

To the extent CCPA/CPRA applies to information Sasto processes about California residents that is not covered by HIPAA or CMIA (such as information about Facility administrative contacts or Clinician Platform users accessing from California), those California residents have the following rights:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information Sasto has collected about you, the sources of collection, the business or commercial purpose for collection, and the categories of third parties with whom Sasto shares it.
  • Right to Delete: Request deletion of personal information Sasto has collected, subject to legal exceptions including HIPAA record retention requirements.
  • Right to Correct: Request correction of inaccurate personal information Sasto holds about you.
  • Right to Opt Out: Opt out of the sale or sharing of personal information — Sasto does not sell personal information and does not share it for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Personal Information: Request that Sasto limit the use of sensitive personal information (which includes health information and precise geolocation) to purposes necessary to provide the services.
  • Right to Non-Discrimination: Sasto will not discriminate against you for exercising any of these rights.

To exercise your California privacy rights, email privacy@sasto.ai with the subject line "California Privacy Rights Request." Sasto will respond within 45 days, with one 45-day extension available upon notice. Sasto will verify your identity before processing your request.

6.3 California Geolocation — Additional Notice

The Sasto Mobile Application collects precise geolocation data (as defined in California Civil Code § 1798.140) from enrolled Patients. This data is sensitive personal information under CPRA. Sasto uses precise geolocation data solely for the treatment compliance monitoring purposes described in this Privacy Policy and does not use it for any other commercial purpose. You have the right to limit Sasto's use of your precise geolocation data to the purposes described herein by contacting privacy@sasto.ai.

7. Data Retention

Geolocation Data. Retained for the period specified in your Facility's agreement with Sasto, or if not specified, for no more than six (6) months following the end of your enrollment, after which it is permanently deleted unless a longer retention period is required by applicable law.

Check-In and Compliance Records. Retained for the period of your enrollment plus any additional period specified in your Facility's agreement or required by applicable law.

Clinician Platform Audit Logs. Retained for six (6) years as required by HIPAA. Audit logs for ePHI access cannot be deleted on request due to regulatory requirements.

Communications. Retained for the duration of your Facility's agreement with Sasto plus any period required by applicable law.

Device and Access Logs (Clinician Platform). Retained for six (6) years for HIPAA audit compliance.

Cookie and Analytics Data. Session cookies expire when you close your browser. Analytics data is aggregated and retained on a rolling 12-month basis.

De-identified Platform Data (Sasto Data). May be retained indefinitely, as it is not subject to HIPAA or Part 2 retention limits following de-identification in accordance with Sasto's De-Identification Policy.

Minor Patient Data. Subject to the same retention schedules as adult Patient data. Parental deletion requests are processed within 30 days.

8. Data Security

Sasto implements administrative, technical, and physical safeguards to protect information processed through the Platform, including:

  • Encryption of all data in transit using TLS 1.2 or higher.
  • Encryption of all data at rest using AES-256 or equivalent.
  • Role-based access controls limiting access to authorized personnel only.
  • Multi-factor authentication required for all Clinician Platform and administrative system access.
  • Audit logging of all access to and material changes to Patient records.
  • A written incident response plan governing detection, containment, and breach notification procedures.
  • Annual review of security controls by the Security Officer.

No security system is impenetrable. In the event of a security incident affecting your information, Sasto will notify your Facility in accordance with our Business Associate Agreement and applicable law, without unreasonable delay and no later than 30 calendar days after discovery of the incident.

9. Breach Notification

If Sasto discovers a breach of unsecured protected health information, we will notify your Facility without unreasonable delay and no later than 30 calendar days after discovery. Your Facility is the Covered Entity responsible for notifying you of any breach in accordance with HIPAA's Breach Notification Rule.

For breaches involving California residents' personal information (beyond HIPAA's scope), Sasto will comply with California Civil Code § 1798.82, which may require notification to affected individuals and the California Attorney General when the breach involves more than 500 California residents.

For breaches involving New York residents' private information (beyond HIPAA's scope), Sasto will comply with New York General Business Law § 899-aa, which requires notification to affected individuals, the New York Attorney General, the Department of State, and the Division of State Police. Where HIPAA and New York law both apply, Sasto will comply with whichever provides greater protection to affected individuals.

All breach notification records are retained for six years as required by HIPAA.

10. Children's Privacy

The Sasto Platform is not directed at or intended for use by anyone under the age of 13. Sasto does not knowingly collect personal information from children under 13 without verifiable parental consent through Facility enrollment procedures.

For users between 13 and 17, see Section 9.2 of the Terms of Service for the full description of Sasto's practices and parental rights regarding minor patient data. Parents and guardians may exercise data rights on behalf of minor patients by contacting privacy@sasto.ai.

11. Changes to This Privacy Policy

Sasto may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or Platform features. We will notify users of material changes through the Platform or by email at least 30 days before the changes take effect. Continued use of the Platform after the effective date of a change constitutes acceptance of the updated policy.

All prior versions of this Privacy Policy are retained and available upon written request to privacy@sasto.ai.

12. Contact Us

For questions, concerns, or requests related to this Privacy Policy or your privacy rights:

Privacy Officer: Matthew O'Meara, CTO — matthew@sasto.ai · privacy@sasto.ai
CEO / Escalation: Jesse Rubin — jesse@sasto.ai
California Rights Requests: Subject "California Privacy Rights Request" — Response within 45 days
Arbitration Opt-Out: Subject "Arbitration Opt-Out" — Must be submitted within 30 days of first Platform access
Mailing Address: Sasto Technologies Inc., 6359 West 6th Street, Los Angeles, CA 90048

Appendix A: Apple App Store Privacy Nutrition Label

This appendix maps Sasto's data collection to Apple's required Privacy Nutrition Label categories.

Data Used to Track You

None. Sasto does not use data from the Sasto Mobile Application to track users across third-party apps or websites and does not share data with data brokers.

Data Linked to You

Health & Fitness. Check-in compliance data, escalation events, and recovery schedule information linked to your enrolled account.

Location. Precise geolocation (GPS, Wi-Fi, cellular) linked to your enrolled account for compliance verification.

Identifiers. Device identifiers linked to your account for session management and technical support.

Usage Data. In-app activity and feature usage linked to your account for Platform improvement.

Diagnostics. Crash data and performance data linked to your account for technical support.

Data Not Linked to You

Aggregate, de-identified usage metrics that cannot be linked to any individual user.

Data Not Collected

Financial information, contacts, browsing history, search history, sensitive information (beyond health and location as noted above), and other data types not listed above.